Limit-Deterministic Büchi Automata for Linear Temporal Logic

Transcription

1 Limit-Deterministic Büchi Automata for Linear Temporal Logic Salomon Sickert, Javier Esparza, Stefan Jaax, and Jan Křetínský Technische Universität München Abstract. Limit-deterministic Büchi automata can replace deterministic Rabin automata in probabilistic model checking algorithms, and can be significantly smaller. We present a direct construction from an LTL formula ϕ to a limit-deterministic Büchi automaton. The automaton is the combination of a non-deterministic component, guessing the set of eventually true G-subformulas of ϕ, and a deterministic component verifying this guess and using this information to decide on acceptance. Contrary to the indirect approach of constructing a non-deterministic automaton for ϕ and then applying a semi-determinisation algorithm, our translation is compositional and has a clear logical structure. Moreover, due to its special structure, the resulting automaton can be used not only for qualitative, but also for quantitative verification of MDPs, using the same model checking algorithm as for deterministic automata. This allows one to reuse existing efficient implementations of this algorithm without any modification. Our construction yields much smaller automata for formulas with deep nesting of modal operators and performs at least as well as the existing approaches on general formulas. 1 Introduction Translating Linear Temporal Logic (LTL) formulas into ω-automata is a fundamental problem of formal verification, which has been studied in depth. In the automata-theoretic approach to model checking, after computing the automaton for a formula one constructs its product with the state space of the system under consideration and analyses it. Since the product has up to N m states, where N and m are the number of states of the system and the automaton, respectively, and typically N m, it is important to construct automata as small as possible: even a small reduction of m can lead to a much larger reduction of N m. Since non-deterministic ω-automata are typically much smaller than deterministic ones, for standard LTL model checking one translates formulas into non-deterministic Büchi automata. However, this is no longer possible for probabilistic model checking, and the standard approach is to use deterministic Rabin automata (DRA) instead this is for instance the approach of the PRISM tool [3, 22]. Translations of LTL into DRA have been thoroughly studied. Classical translations take a detour through Büchi automata as intermediate step [25, 24, 26], while more recent ones are direct translations [11, 19]. This work is partially funded by the DFG Research Training Group PUMA: Programm- und Modell-Analyse (GRK 1480)

2 It has been known for a long time that automata for probabilistic verification do not need to be fully deterministic: the automata-theoretic approach still works if restricted forms of non-determinism are allowed. For probabilistic verification of Markov chains one can use unambiguous Büchi automata (separated UBA [7], or even non-separated UBA [2]). The translation from LTL to separated UBA involves a single exponential blowup, while the translation to DRA is known to be double exponential. However, UBA cannot be used for the verification of Markov Decision Processes (MDPs). For qualitative verification of MDPs 1 one can use limit-deterministic Büchi automata (LDBA) [27, 6] (also known as semi-deterministic or deterministic-in-the-limit). For quantitative verification of MDPs, limit-deterministic automata are not sufficient in general. However, recently [14], a more complex algorithm for probabilistic model checking was presented, considering products of the system and its parts with several different automata, including LDBA. The translation LTL LDBA is double exponential, and so in principle as expensive as the translation to DRA in the worst case. However, it is easy to find examples where the LDBA is much smaller than the DRA; in particular, in [16] it is shown that the LTL \GU fragment of LTL can be translated to LDBAs with a single-exponential blowup, while the translation to DRA is still double exponential. Further, efficient procedures for LDBA complementation exist [4]. In this paper, we give a compositional translation from full LTL to LDBAs, based on the one from LTL to DRAs recently presented in [11]. We then show that, due to the special form of the resulting LDBAs, the translation can also be used for quantitative model checking of MDPs, and in fact by means of the same algorithm as for DRAs. That is, in order to compute the maximal probability that an MDP M satisfies a formula ϕ we can just construct the product of M and the LDBA for ϕ obtained by our translation, and compute the maximal probability of reaching an accepting end component [3]. The translation of [11] becomes much simpler with LDBAs as target, instead of DRAs. In order to check if a word w satisfies a formula ϕ, our LDBAs use their restricted non-determinism to guess the set of G-subformulas of ϕ that are eventually satisfied by w (i.e., the subformulas Gϕ such that w = FGψ), and the point at which all these subformulas have already become true. At this point the LDBA enters its deterministic component to check that the guess is correct, and that w = ϕ holds under the assumption that the guess is correct. We show that our translation produces LDBA of at most double exponential size, and exhibit a family of LTL formulas for which the smallest LDBA reaches this double exponential bound. We conclude the paper with an experimental evaluation of an implementation of our construction on a large set of benchmarks. We compare the size of the generated LDBA with the size of the DRA provided by the Rabinizer tool, the DRA constructed by LTL2DSTAR, and the LDBA produced by the procedure of [6]: translate the formula into a Büchi automaton, apply the translation of Büchi automata to LDBA described in [6], and simplify the result. For the comparison we use the LTL3BA tool [1] and SPOT [8]. 1 Recall that qualitative verification checks if the property holds with probability 1. 2

3 Outline. Sections 2 and 3 contain preliminaries. Section 4 presents an intuitive overview of the translation by means of an example. Section 5 formally defines the translation, Section 6 describes several optimisations, and Section 7 gives the complexity bounds. Quantitative verification is discussed in Section 8. Experimental results are presented in Section 9. Section 10 concludes and discusses future work. 2 Preliminaries 2.1 Linear Temporal Logic We use a slightly unusual syntax for LTL. We consider formulas without negations and without the Release operator R the dual of the Until operator U but with both F and G. Formulas in the usual syntax are transformed into equivalent formulas in our syntax by pushing negations inside, and in the absence of R using the equivalence (ϕuψ) = ( ψu( ψ ϕ)) G ψ. This may cause the formula to grow exponentially, when formulas are represented by their syntax trees. However, if they are represented by their syntax DAGs, then the transformation only causes a linear blowup. Definition 1 (LTL). A formula of LTL in negation normal form is given by the syntax: ϕ ::= tt ff a a ϕ ϕ ϕ ϕ Xϕ Fϕ Gϕ ϕuϕ where a Ap. An ω-word w is an infinite sequence of letters w[0]w[1]w[2].... We denote the infinite suffix w[i]w[i + 1]... by w i. The satisfaction relation = between ω-words and formulas is inductively defined as follows: w = tt w = ff w = a iff a w[0] w = a iff a w[0] w = ϕ ψ iff w = ϕ and w = ψ w = ϕ ψ iff w = ϕ or w = ψ w = Xϕ iff w 1 = ϕ w = Fϕ iff k. w k = ϕ w = Gϕ iff k. w k = ϕ w = ϕuψ iff k. w k = ψ and 0 j < k. w j = ϕ Given two formulas ϕ and ψ, we denote by ϕ[φ/ψ] the result of substituting ψ for each maximal occurrence of a formula of Φ in ϕ (an occurrence is maximal if it is not a subformula of another occurrence). For example, G(a Gb)[{G(a Gb), Gb}/tt] = tt. Two formulas are equivalent if they are satisfied by the same words. We under-approximate this using propositional equivalence. Definition 2 (Propositional Equivalence). A subformula ψ of ϕ is called proper, if the root of its syntax tree is labelled by either a, a, F, G, U or X. Given a formula ϕ, we assign to it a propositional formula ϕ P as follows: replace every maximal proper subformula ψ by a propositional variable x ψ. Two formulas ϕ, ψ are propositionally equivalent, denoted ϕ P ψ, iff ϕ P and ψ P are equivalent formulas of propositional logic. We denote by [ϕ] P the set of all formulas propositional equivalent to ϕ. 3

4 For example, if ϕ = Xb (G(a Xb) Xb) with ψ 1 = Xb and ψ 2 = G(a Xb), then ϕ P = x ψ1 (x ψ2 x ψ1 ) x ψ1. Thus Xb is propositionally equivalent to ϕ and Xb [ϕ] P. 2.2 Formula Expansion Our translation relies on the After Function af (ϕ, w), read ϕ after w [11]. Intuitively, ϕ holds for ww iff af (ϕ, w) holds after reading w, that is, if w = af (ϕ, w). Definition 3. Let ϕ be a formula and ν 2 Ap a single letter. af (ϕ, ν) is then defined as follows: af (tt, ν) = tt af (ff, ν) = ff { tt if a ν af (a, ν) = ff if a / ν { ff if a ν af ( a, ν) = tt if a / ν af (ϕ ψ, ν) = af (ϕ, ν) af (ψ, ν) af (ϕ ψ, ν) = af (ϕ, ν) af (ψ, ν) af (Xϕ, ν) = ϕ af (Gϕ, ν) = af (ϕ, ν) Gϕ af (Fϕ, ν) = af (ϕ, ν) Fϕ af (ϕuψ, ν) = af (ψ, ν) (af (ϕ, ν) ϕuψ) Furthermore, we generalize the definition to finite words: af (ϕ, ɛ) = ϕ; and af (ϕ, νw) = af (af (ϕ, ν), w) for every ν 2 Ap and every finite word w. Finally, we define the set of from ϕ reachable formulas as Reach(ϕ) = {[ψ] P w. ψ = af (ϕ, w)}. Example 1. Let Ap = {a, b, c} and ϕ = a (b U c). We have af (ϕ, {a}) = tt af (ϕ, {b}) = (b U c), af (ϕ, {c}) = tt, and af (ϕ, ) = ff. The following lemmas show that af has indeed the claimed property, and others. Lemma 1 ([11], Lem. 7). Let ϕ be a formula, and let ww (2 Ap ) ω be an arbitrary word. Then ww = ϕ iff w = af (ϕ, w). Lemma 2 ([11], Lem. 11). Let ϕ be a G-free formula and let w be a word. Then w = ϕ iff there exists i > 0 such that af (ϕ, w 0j ) P tt for every j i. We now show that Reach(ϕ) a building block for the construction is finite, and contains at most a double exponential number of elements. Lemma 3. For every formula ϕ and every finite word w (2 Ap ) : (1) af (ϕ, w) is a boolean combination of proper subformulas of ϕ. (2) If ϕ has n proper subformulas, then Reach(ϕ) has at most size 2 2n. Proof. (1) By definition, every formula is a boolean combination of its proper subformulas. So it suffices to prove that every proper subformula of af (ϕ, w) is also a proper subformula of ϕ. For w = ν this follows by an easy induction on ϕ, and for an arbitrary w by induction on w. 4

5 (2) By (1), every equivalence class [ψ] P Reach(ϕ) can be uniquely identified with a Boolean function over n variables, one for each proper subformula of ϕ. Since there are 2 2n Boolean functions over n variables, we have at most so many equivalence classes. Remark 1. It is easy to show by induction that ϕ P ψ implies af (ϕ, w) P af (ψ, w) for every finite word w. We extend af to equivalence classes by defining af ([ϕ] P, w) := [af (ϕ, w)] P. Sometimes we abuse language and identify a formula and its equivalence class. For example, we write the states of the automaton are pairs of formulas instead of pairs of equivalence classes of formulas. 3 Limit-deterministic Büchi Automata For convenience, we use Büchi automata with an accepting set of transitions, instead of an accepting set of places. We also consider generalized Büchi automata with several sets of accepting transitions. It is well known that all these classes accept the ω-regular languages and there are polynomial-time translations between them. Definition 4 (Transition-based Generalized Büchi Automata). A generalized transition-based Büchi automaton (TGBA) is a tuple B = (Σ, Q,, q 0, α) where Σ is an alphabet, Q is a finite set of states, : Q Σ 2 Q is a transition function, q 0 is the initial state, and α = {F 1, F 2,... F n } with F i Q Σ Q is an accepting condition. A run r of a TGBA B on the ω-word w is an infinite sequence of transitions r = (q 0, w[0], q 1 )(q 1, w[1], q 2 )... respecting the transition function, i.e. r[i] for every i 0. We denote by inf(r) the set of transitions occurring infinitely often in the run. A run is called accepting if for each set of transitions F α there is at least one transition in the run occurring infinitely often, i.e. if inf(r) F. An infinite word w is accepted by B and is in the language L(B) if there exists an accepting run r for w. Intuitively, a TGBA is limit-deterministic if it can be split into a nondeterministic component without accepting transitions, and a deterministic component. The automaton can only accept by jumping from the non-deterministic to the deterministic component, but after the jump must stay in the deterministic component forever. Definition 5 (Limit-Determinism). A TGBA B = (Σ, Q,, q 0, α) is limitdeterministic if Q can be partitioned into two disjoint sets Q = Q N Q D, s.t. 1. (q, ν) Q D and (q, ν) = 1 for every q Q D, ν Σ and 2. F Q D Σ Q D for all F α 4 Overview of the Construction We first explain the main ideas underlying our construction on the formula ϕ = c XG(a Fb), and then show how to generalise them to arbitrary formulas. 5

6 q 0 : ϕ c c ɛ q 3 : tt tt a + b b q 1 : Gψ b ā b q 2 : Gψ Fb ɛ ɛ p 6 : c, c p 7 : tt, ɛ tt ɛ ɛ a + b a b a b p 0 : Fb, (ψ, tt) ā b p 1 : Fb, (Fb, ψ) ā b b b b p 3 : tt, (ψ, tt) ā b b p 4 : tt, (Fb, ψ) ā b a b b p 2 : Fb, (Fb, Fb) p 5 : tt, (Fb, Fb) b b Fig. 1. Automaton A for ϕ = c XG(a Fb). Non-accepting sinks ( ff, ) and transitions to them have been removed. The initial component is above the dashed line, the accepting component below. States in the lower part are tuples of an auxiliary monitor and G-monitors. We abbreviate ψ := (a Fb), and so we write ϕ = c XGψ. The complete automaton for the formula is shown in Figure 1. Each state of the automaton for ϕ is labelled with a formula (the state is the equivalence class of this formula w.r.t. propositional equivalence). The words accepted from the state are exactly those satisfying the formula. We describe the initial and accepting components of the automaton, separated in Figure 1 by the dashed line. The initial component. The states of the initial component are the formulas of Reach(ϕ), with ϕ as initial state. The non-ɛ transitions are given by the af -function: for every state ϕ and letter ν there is a transition labelled by ν leading to af (ϕ, ν). With these transitions the component keeps track of the formula that must be satisfied by the rest of the word. The only non-determinism is introduced by the ɛ-jumps into the accepting component. Imagine the automaton is currently at state ϕ. The automaton has to check that ϕ holds (more formally, that the rest of the run satisfies ϕ ). Intuitively, taking an ɛ-jump corresponds to picking a subset G of the G- subformulas of ϕ, guessing that they currently hold, and guessing further that 6

7 ϕ holds even if no other G-subformula becomes true in the future. In order to see how the automaton can check this guess, we introduce some notation. Definition 6. Given a formula ϕ and a set G of G-formulas, we denote ϕ[g] the result of substituting tt for every G-subformula of G and ff for every other G-subformula. We claim that after the jump the accepting component can check the guess by checking if (a) G ( ψ[g]) holds for every Gψ G, and (b) ϕ [G] holds. Indeed, if Gψ G holds now, then it always holds in the future, and so it can be replaced by tt. Similarly, if Gψ / G, then ϕ should hold even if Gψ never holds in the future, which since formulas are in negation normal form is the case if ϕ holds even after Gψ is replaced by ff. The crucial point now is that the formulas of (a) are of the form Gψ, where ψ is G-free, and the formula in (b) contains no occurrence of G at all. So for the accepting component (described below) it suffices to find deterministic automata for such formulas. As a concrete example, consider the two ɛ-transitions of Figure 1 leaving the state q 0. Since Gψ is the only G-subformula of ϕ, the two possible choices for G are G = {Gψ} and G =. In the first case, the ɛ-transition for G = {Gψ} must lead to a state in charge of checking that (a) G(ψ[G]) = G(a Fb) holds, and (b) ϕ[gψ/tt] = c Xtt P true holds (in this case (b) is trivial). This is the state p 3, whose successors are the part of the accepting component in charge of checking G(a Fb). The ɛ-transition for G = must lead to a state in charge of checking ϕ[gψ/ff] = c Xff P c (if this holds, then ϕ holds, independently of whether Gψ holds or not). This is state p 6. The accepting component. The accepting component consists of several subcomponents, one for each set G of G-formulas. In Figure 1 there are two subcomponents, one with states {p 0,..., p 5 } for G = {Gψ}, and the other with states {p 6, p 7 } for G =. A subcomponent is a product of deterministic automata: a G-monitor for every formula Gψ G, in charge of checking G ( ψ[g]), and an auxiliary monitor for each state ϕ of the initial component, in charge of checking ϕ [G]. Consider for instance the subcomponent with states {p 0,..., p 5 }. It is the product of a three-state G-monitor for Gψ, and a two-state auxiliary monitor for checking Fb. Since ϕ [G] contains no occurrence of G, it is easy to give a deterministic auxiliary monitor, and we do so in Section 5.2. For the G-monitor for G ( ψ[g]) we use a breakpoint construction. Intuitively, the monitor must check that every suffix of the monitored word satisfies ψ, and so after each step it receives ψ as new proof obligation. Its states are pairs of formulas (ρ 1, ρ 2 ). At state (ρ 1, ρ 2 ) the monitor is currently taking care of the proof obligation ρ 1, and has put ρ 2 on hold. Initially ρ 1 = ψ and ρ 2 = tt. Transitions of the form δ((ρ 1, ρ 2 ), a) = (af (ρ 1, a), af (ρ 2, a) ψ ). update the proof obligations according to the af -function, adding ψ to the proof obligation on hold. If ρ 1 = tt then the current proof obligation can be discarded, and the monitor can take care of the one on hold; this is done by a transition δ((tt, ρ 2 ), a) = (af (ρ 2, a) ψ, tt). 7

8 These discarding transitions are accepting. If they are taken infinitely often, then all of the infinitely many proof obligations are eventually discarded. 5 Construction For the formal presentation of the construction, let ϕ be a fixed formula and let Ap be the corresponding set of atomic propositions. Further, let G be the set of G-subformulas of ϕ, i.e. the subformulas of ϕ of the form Gψ. We first describe the initial component without ɛ-transitions, then the accepting component, and then the ɛ-transitions linking the two. 5.1 Initial Component As already sketched, the component keeps track in its state of the formula that must be satisfied by the rest of the word. Definition 7. The initial component for a formula ϕ is the transition system: N = (2 Ap, Reach(ϕ), af, ϕ) 5.2 Accepting Component The accepting component for a subset G G of G-subformulas is the product of one auxiliary monitor and one G-monitor for each Gψ G. First, we show how to build a G-monitor U for a single G-free formula. Second, we construct a product P of these G-monitors. G-Monitor. Let ψ be a G-free formula. We construct a deterministic Büchi automaton U, called the G-monitor for Gψ, recognising L(Gψ). We first give the definition, and then explain the intuition behind it. Definition 8 (G-Monitor). Let ψ be a G-free formula. The G-monitor for ψ is the deterministic Büchi automaton U(Gψ) = (2 Ap, Reach(ψ) Reach(ψ), δ, (ψ, tt), F ) where { (af (ζ, ν) ψ, tt) if af (ξ, ν) P tt δ((ξ, ζ), ν) = (af (ξ, ν), af (ζ, ν) ψ) otherwise F = {((ξ, ζ), ν, p) Q 2 Ap Q af (ξ, ν) P tt} The states of the monitor are pairs (φ 1, φ 2 ) of formulas. Intuitively, from state (φ 1, φ 2 ) the automaton checks if the rest of the run satisfies φ 1 φ 2, but starting with φ 1 and putting φ 2 on hold. The initial state is (ψ, tt). After reading a letter, say ν 1, the automaton moves to δ(ψ, tt) = (af (ψ, ν 1 ), ψ). The meaning is: the automaton checks if the rest of the run satisfies af (ψ, ν 1 ) ψ, but putting the 8

9 check of ψ on hold. If the next letter is, say, ν 2, then the automaton moves to (af (ψ, ν 1 ν 2 ), af (ψ, ν 2 ) ψ), keeping the check of af (ψ, ν 2 ) ψ on hold. However, if af (ψ, ν 1 ν 2 ) = tt, then, the automaton knows already that the word ν 1 ν 2... satisfies ψ, the first check is complete, and the automaton transfers the checks kept on hold to the first position, moving to the state (af (ψ, ν 2 ) ψ, tt). The accepting transitions are those at which the automaton completes a check. If the automaton completes infinitely many checks, then all suffixes of the run satisfy ψ, and so the run satisfies Gψ. Lemma 4. Let ψ be a G-free formula and let w be a word, then w = Gψ iff U(Gψ) accepts w. Proof. Assume w = Gψ. Hence i. w i = ψ. Since ψ is a G-free formula, af will eventually derive tt due to Lemma 2, that is, i. j. af (ψ, w ij ) P tt. Hence U(Gψ) visits infinitely many states (ξ, ζ) such that ξ P tt, and so it accepts. Assume w = Gψ. Let i be a point where w fails to satisfy ψ (w i = ψ). Thus af (ψ, w ij ) P tt for any j. Once af (ψ, w ij ) is propagated from the second component to the first, U(Gψ) never uses an accepting transition again and hence does not accept. Example 2. The G-monitor for Gψ = G(a Fb) is the automaton of Figure 2. p 0 : (ψ, tt) a + b ā b b b p 1 : (Fb, ψ) ā b p 2 : (Fb, Fb) a b b Fig. 2. G-monitor for Gψ = G(a Fb). Product of G-Monitors. Let ϕ be a formula, and let G be the set of all G- subformulas of ϕ. Fix a set G = {Gψ 1,..., Gψ n } G. For every index 1 i n, let U i be the G-monitor for the formula G(ψ i [G]). Definition 9 (Product of G-Monitors). Let U 1,..., U n as above, and let U i = (2 Ap, Q i, δ i, q 0i, F i ). The product of G-monitors of ϕ with respect to G is the generalized deterministic Büchi automaton n n P(G) = ( 2 Ap, Q i, δ i, (q 01,..., q 0n ), {F 1,..., F n} ) i=1 i=1 9

10 where ( (q 1,..., q n ), ν, (q 1,..., q n) ) F i iff (q i, ν, q i ) F i. Lemma 5. Let G be a set of G-formulas and let w be a word. We have: P(G) accepts w iff w = G(ψ[G]) for all Gψ G. Proof. Let G = {Gψ 1,..., Gψ n }, and assume that the formulas are ordered so that if Gψ i is a subformula of ψ j then j < i (so, in particular, Gψ n is not a subformula of any of ψ 1,..., ψ n 1 ). Assume P(G) accepts w. We prove w = G(ψ i [G]) for every 1 i n by induction on n = G. If n = 0, then P( ) trivially accepts all words, and we are done. Let now n > 0. Since Gψ n is not a subformula of any of ψ 1,..., ψ n 1, taking G := G \ {Gψ n } we have ψ i [G] = ψ i [G ] for every ψ i G. In particular, P(G) accepts w, then both P(G ) and U(G(ψ n [G ])) accept w too. By induction hypothesis we have w = G(ψ i [G ]) for every 1 i n 1. By Lemma 4 we obtain w = G(ψ n [G ]). Finally, since ψ i [G] = ψ i [G ] for every ψ i G, we get w = G(ψ i [G]) for every 1 i n. The other direction is analogous. 5.3 Connecting the Initial and Accepting Components We now define the ɛ-transitions leading from states in the initial component to states in the accepting component. Intuitively, each ɛ-transition corresponds to a guess G, and starts the corresponding product P(G). However, recall that if the source of the transition is the state ϕ, then the accepting component must also check that the formula ϕ [G]) holds. For example, for the state q 2 of Figure 1 we have ϕ = Gψ Fb, and choosing G = Gψ we get ϕ [G] P Fb. So, intuitively, the state p 0 starts not only P(G), but also a deterministic automaton for Fb. More formally, p 0 is the initial state of the product of P(G) and this deterministic automaton. The deterministic automaton for ϕ := ϕ [G] is very simple. Since ϕ contains no occurrences of G, by Lemma 2 we can just take the automaton (2 Ap, Reach(ϕ ), af, ϕ, {tt}). That is, the automaton keeps tracking the formula that the rest of the run must satisfy, and accepts iff eventually the formula is tt. Comparing with the initial component N, we observe that this automaton is nothing but N with tt as single accepting state, meaning all outgoing transitions are accepting. We can now define the complete limit-deterministic automaton for a formula ϕ. Definition 10. Let ϕ be a formula. Let N = (2 Ap, Q N, δ N, q 0N ) be the transition system of Definition 7. Furthermore, for every set G of G-subformulas of ϕ, let P(G) = (2 Ap, Q P(G), δ P(G), q 0P(G), {F (G,Gψ) Gψ G}) be the product of Definition 9. The limit-deterministic automaton A is defined as where A = (2 Ap, Q N Q Acc, δ N ɛ Acc, ϕ, {F ξ ξ G}) 10

11 Q Acc = (Q N Q P(G) ) and Acc = (δ N δ P(G) ) G G G G ɛ = {(χ, ɛ, (χ[g], q 0G )) χ Q N, G G} F ξ = { ((tt, q), ν, (tt, q )) (q, ν, q } ) F (G,ξ) G G Example 3. The complete automaton A for ϕ = c XG(a Fb), displayed in Figure 1, consists of the initial component above the dashed line, and the products of the auxiliary monitor with the product automata P for G 1 = {} and G 2 = {Gψ} (below the dashed line) 5.4 Correctness We prove a stronger correctness statement: For every state ψ Q N of the initial component, the words w accepted from ψ are exactly those that satisfy ψ. Before we proceed, we need the notion of a stable set of G-subformulas. Definition 11. A set G G of G-subformulas of ϕ is stable for a word w if the following holds: Gψ G. i 0. w i = Gψ Gψ G \ G. i 0. w i = Gψ Observe that at most one set is stable for a given word, and some words have no stable set. Further, if a set is stable for a word, then it is stable for all its suffixes. Lemma 6. Let ϕ be a formula, and let w be a word with stable set G. Then w = ϕ iff w = ϕ[g]. Proof. (Induction on ϕ) The only non-trivial case is ϕ = Gϕ. Consider two subcases. If Gϕ G, then by the definition of stable set we have w = ϕ and by the definition of ϕ[g] we get ϕ[g] = tt, so w = ϕ[g]. If Gϕ G, then w = Gϕ and ϕ[g] = ff, so w = ϕ[g]. Lemma 7. Let ϕ be a formula, and let w be a word with stable set G. If w = ϕ holds, then A has an accepting run r for w starting at ϕ. Moroever, r immediately switches from ϕ Q N to the accepting component for G. Proof. Assume w = ϕ and assume G is the stable set for w. Let r be the run starting at ϕ that immediately uses the ɛ-transition to jump to the accepting component for G. We show that r is accepting. Since G is a stable set for w, the product automaton P(G) accepts w due to Lemma 5. It remains to prove that the auxiliary monitor eventually reaches tt. By Lemma 6 we have w = ϕ[g]. Since ϕ[g] is G-free, we can apply Lemma 2 and obtain that the auxiliary monitor eventually reaches tt. 11

12 Lemma 8. Let w be a word and let ϕ Q N be a state in the initial component of A. We have: w = ϕ iff A has an accepting run r for w starting at ϕ. Proof. Assume w = ϕ. Let G = {Gψ G w = FGψ} be the set of eventually true G-subformulas, and let i be an index such that w i = Gψ for every Gψ G. Then G is a stable set for w i. Consider the run that first reads w 0(i 1) in the initial component, reaching a state ϕ, and then jumps to the accepting component for the G. By Lemma 1 we have w i = ϕ, and by Lemma 7 the run is accepting. Assume A accepts w. Let r be an accepting run. Let i be the point at which r switches to the accepting component for some set G. By Lemma 5 we have w i = ξ for each ξ G. Since accepting transitions are only taken when the remaining obligations are fulfilled (that is, when the formula in the first position of the tuple is replaced by tt), we also obtain from Lemma 1 w i = af (ϕ, w 0(i 1) )[G]. Because the formulas are in NNF and G {ξ G w i = ξ}, we have w i = af (ϕ, w 0(i 1) ), and, by Lemma 1, we finally get w = ϕ. From this lemma we immediately obtain the correctness: Theorem 1. Let w be a word, then w = ϕ iff A accepts w. Further, staying for an arbitrary number of steps in the initial component is safe, because is it always possible to switch to a successful accepting component: Lemma 9. Let w be a finite word and let ϕ be a formula. We denote by L(q) the language accepted from state q Q A. Then the following inclusion holds: L (q) L (δ N (ϕ, w)) q δ(ϕ,w) Proof. Let q δ(ϕ, w) be an arbitrary state in the accepting component reached after reading w. Let w L(q) and let r be an accepting run for w. We extend r to a run r for ww starting in ϕ Q N by taking the path from ϕ to q as a prefix for r. Iteratively applying Lemma 1 and 8 yields w L(δ N (ϕ, w)): ww L(ϕ) iff ww = ϕ iff w = af (ϕ, w) iff w L(δ N (ϕ, w)) Thus L(q) L(δ N (ϕ, w)) for all q δ(ϕ, w). 6 Optimisations For the experimental evaluation we apply several optimisations to the presented construction: First, ɛ-transitions are removed and replaced by the outgoing edges of the successor state. Second, non-accepting sinks are removed, as they can be easily recognised: from the state ff accepting edges are unreachable. Third, not all ɛ-jumps are necessary: A run starting in Gψ 1 Gψ 2 cannot be accepting in the component for or {Gψ 1 }, since the auxiliary monitor cannot reach tt from ff or Gψ 1 χ. Hence only jumps for (minimal) satisfying assignments of a state 12

13 label (restricted to Gs) are constructed. Fourth, we call a state transient if every run can only visit the state at most once, e.g. it is labelled by Xϕ. As shown in Lemma 9 a jump to the accepting component can safely be delayed. Thus jumps for transient states are not constructed. While these four optimisations suppress the construction of states and edges, also the state labels can be optimised: Fifth, G-monitors can safely replace (ξ, ζ) by (ξ, tt) if ξ implies ζ. In a similar way the auxiliary component removes terms already taken care of by G-monitors. Sixth, all modal operators in state labels are unfolded, reducing the number of states: FGa is rewritten to (FGa) (Ga) and merged with existing states. 7 Complexity Upper Bound. Let n be the length of the formula ϕ. Since Q U(Gψ) and Q N are defined using Reach, the size for Q U(Gψ) and Q N is O(2 2n ). For each G G the accepting component has at most G G-monitors and one auxiliary monitor. Hence the size of the accepting component for a single G is at most ( G + 1) O(2 2n ) = O(2 2n+log log n ). Summing up to: O(2 2n ) + 2 G O(2 2n+log log n ) = O(2 2n+log n+log log n ) Lower Bound. This upper bound is matched by a double exponential (not tight) lower bound. The language used in the proof is an adaptation of [21]. Theorem 2. There is a family of formulas φ n of size O(n 2 ) such that the smallest limit-deterministic state-based Büchi automaton recognising L(φ n ) has at least 2 2n states. Proof. For every n N, let r n be the regular expression over the alphabet Σ = {0, 1, #, $, %}, defined as r n := w {0,1} n % (0 1 #) # w # (0 1 #) $ w Since the language L(r ω n) can be expressed by an LTL formula of size O(n 2 ) (Lemma 10) and the smallest limit-deterministic state-based Büchi automaton recognising L(r ω n) has at least 2 2n states (Lemma 11), the claim holds. Lemma 10. There exists an LTL formula of size O(n 2 ) defining L(r ω n). Proof. The conjunction of the following LTL formulas of size O(n 2 ) defines L(rn): ω % G($ X n+1 %) G( (α β)) (1) α Σ β Σ\{α} G(% X((0 1 #) U( (ϕ(i, 0) ϕ(i, 1)) X n+1 #))) (2) 1 i n 13

14 with ϕ(i, α) := X i α ((0 1 #) U($ X i α)). Formula 1 ensures the basic syntactic properties of r n, and formula 2 enforces that the literal % is always succeeded by a string of the form (0 1 #) #w#(0 1 #) $w using ϕ(i, α) to guarantee the existence of matching substrings #w# and $w. Lemma 11. The smallest limit-deterministic state-based Büchi automaton recognising L(rn) ω has at least 2 2n states. Proof. Let A n be a limit-deterministic state-based Büchi automaton recognising L(r ω n). A state q is called a $-successor if there exists an accepting run r containing the transition (p, $, q) and q is in the deterministic component of A n. For every $-successor q we denote by W(q) = {u {0, 1} n w. uw L(q)} the set of prefixes of length n of L(q). We show that A n has at least one distinct $-successor q for each subset S {0, 1} n, such that W(q) = S. Thus A n has at least 2 2n states, since not all states can be $-successors. We expose these states by the recursively defined sequence s. Let S = {w 1, w 2,... w i } be such a subset and let k := Q n : s(s) := s S (S) s 1 (S) := %#w 1 #... #w i #$w 1 s j (S) := s j 1 (S) k s j 2 (S) k... s 1 (S) k %#w 1 #... #w i #$w j 1 < j i Since s(s) ω L(r ω n) holds for all non-empty S, there exists for each s(s) an accepting run r, such that the sequence is read in the deterministic component. Furthermore by construction we have for each $-successor q encountered reading s(s): W(q) S. Showing that the converse also holds concludes the proof: Proposition 1. Let S = {w 1,... w i }, and let 1 j i. Furthermore, assume the sequence s j (S) is read in the deterministic part during an accepting run. Let q j be the $-successor transitioned to after the last $ of s j (S). Then q j satisfies W(q j ) {w 1,..., w j }. Proof (By induction on j). Case j = 1 is trivial. Case j > 1: By construction s j (S) is equal to s j 1 (S) k+1 up to the last $ and ends with w j instead of w j 1. Since k = Q n and the sequence is read in the deterministic component, q j occurred previously in the run on s j 1 (S) as a $-successor. Hence we apply the induction hypothesis to q j and obtain: W(q j ) {w 1,..., w j 1 }. Since w j occurs after the last $-symbol in s j (S), we have W(q j ) {w 1,..., w j }. 8 Quantitative Probabilistic Model Checking The problem of LTL probabilistic model checking [3] is to determine the probability that an LTL formula ϕ holds on a run generated by a given Markov chain M, i.e., P M {run ρ ρ = ϕ}, or more generally, for Markov decision process M the maximal probability that ϕ is satisfied, i.e., sup σ P M σ{run ρ ρ = ϕ}, where σ ranges over schedulers resolving the non-determinism of M, and M σ is the Markov chain resulting from application of σ to M. 14

15 The automata-theoretic approach to model checking LTL over Markov decision processes amounts to (1) constructing the product M A of the system M and an automaton A for the LTL formula, (2) computing maximal end components (MECs) in the product, (3) determining which MECs are accepting, and (4) determining the maximal probability to reach the accepting MECs. However, as opposed to the non-probabilistic model checking case, in general the automaton A cannot be used if it is non-deterministic. Intuitively, resolving non-determinism of the automaton may depend on the yet unknown, probabilistically given future. For the same reason, limit-deterministic automata are in general applicable only to qualitative probabilistic model checking, i.e., determining whether the satisfaction probability is 0, 1, or neither. We show that our limit-deterministic automata can be used even in the quantitative-analysis algorithm outlined above without conversion to a fully deterministic automaton. Notice that the only non-deterministic transitions present in our construction are ɛ-transitions. This allows us to represent the non-deterministic choice in our LDBA A by means of additional ɛ-actions in the product MDP where each ɛ-action only changes the automaton state. Formally, given a Markov decision process M = (S, Act, P, s 0, Ap, L) with set of states S, set of actions Act, transition probability function P : S Act S [0, 1], initial state s 0 S and labelling function L, and given an automaton A = (2 Ap, Q, δ, q 0, Acc) we define the product (M A) = ( (S Q), Act, P, (s 0, q 0 ), Ap, L ) of M and A as follows. Firstly, for every potential ɛ-transition in A to some state q Q we add a corresponding action ɛ q in the product: Act := Act {ɛ q q Q} As usual, we define for all (s, q), (s, q ) S Q and α Act: L ((s, q)) := L(s) { P ((s, q), α, (s, q P(s, α, s )) := ) if q L(s ) q 0 otherwise Additionally, for all (s, q), (s, q ) S Q, the transition probabilities of the ɛ-actions are given by { P ((s, q), ɛˆq, (s, q 1 if s = s ɛ and q q = ˆq )) := 0 otherwise Now we are going to show that our product can indeed be used for quantitative model checking using the standard techniques. Theorem 3. For any formula ϕ, the automaton A can be used in the standard probabilistic model checking algorithm, i.e., for any Markov decision process M, sup σ P M σ[l(a)] = sup P (M A) σ[ X] σ where X is the set of runs that reach an accepting MEC of M A. 15

16 Proof. The inequality is trivial even for general non-deterministic automata. Indeed, every scheduler over M A induces a scheduler over M (by elimination of ɛ-transitions and subsequent projection) such that for every run (ρ, π) reaching X, where acceptance is guaranteed, we have a run ρ of M that is accepted by A due to π. The scheduler thus resolved the non-determinism also of the automaton. While the inequality generally holds only for deterministic automata, we prove it also for our A. We define a random variable index mapping a run ρ of M, corresponding to a word w, as follows: index(ρ) := min{i Gψ G. w = FGψ = w i = Gψ}. Observe that every run has a finite index. From this point on, the run satisfies all G-formulas that it will ever eventually satisfy; we call the set of these formulas G(ρ). Given a scheduler σ, a state m of M σ is called decided if almost all runs starting in m have index 0. In other words, almost all runs of M σ starting in m satisfy each G-formula already at the beginning or never. Intuitively, G is determined by m. Lemma 12. Let C be a bottom strongly connected component (BSCC) of a Markov chain. Then all states of C are decided and almost all runs ρ in C have the same G(ρ). Proof. Let P s [L] denote the probability that a run of the Markov chain starting in state s induces a word from language L. Now let Gψ G. If for all c C, P c [L(Gψ)] = 1, then we are done. Let now c C be such that P c [L(Gψ)] < 1. We show that for all d C, we have P d [L(Gψ)] = 0, thus also proving P d [L(FGψ)] = 0. Since P c [L(Gψ)] < 1, we have P c [L(F ψ)] > 0. Therefore, with every visit of c there is a positive probability p that ψ will be violated in the next n steps for some n N. Since c is in a BSCC it will be visited infinitely often with probability 1 from any d C. Consequently, P d [L(Gψ)] lim k (1 p) k = 0. We are now ready to prove the inequality. Given a scheduler σ of M, we define a scheduler σ of M A such that P M σ[l(a)] P (M A) σ [ X]. The scheduler σ follows the behaviour of σ up to the point where a BSCC is reached in M σ. A run on M σ will almost surely reach some BSCC in M σ. Let m be the first visited state in a BSCC of M σ. By Lemma 12, m has unique decided G, and σ then chooses the unique ɛ-action ɛ q such that q Q N Q P(G). Having performed this ɛ-action, the scheduler σ then continues to follow the behaviour of σ indefinitely. Note that apart from emulating σ, the constructed scheduler σ only decides when to switch to the accepting component and with which G. Notice that by construction every run ρ σ on M σ corresponds to a run ρ σ on (M A) σ with equal transition probabilities, except for the probability of the ɛ-action, which has neutral probability 1. It thus only remains to show that if a trace of ρ σ is accepted by A then the corresponding run ρ σ, projected to the second component, is also an accepting run on A. To this end, let All be the set of states where A can be after reading the run up to the point where m is reached. In particular, let init, acc All be the source and the target of the ɛ-transition taken if σ is followed, i.e. when the transition from (m, init) to (m, acc) under action ɛ acc is taken. Note that other elements of All correspond to runs of A that either switch at another time or to an accepting part Q N Q P(G ) 16

17 for a different G. In order to show that σ always chooses an accepting run of A if there is one, we have to show that the following constraints are satisfied: Lingering in the initial part and delaying the switch to the acceptance part is safe. Formally: L(init) L(a) (1) a All This is shown in Lemma 9. Switching to the acceptance part is safe upon reaching the BSCC. Formally: P m [L(init)] = P m [L(acc)] (2) From Lemma 12 we obtain a unique G for almost all runs starting in m. Let L(G) denote the set of runs satisfying FGψ for all Gψ G and not satisfying FGψ for all Gψ G. Further, the set of runs not in L(G) has zero probability, formally P m [L(G)] = 0. Hence it is sufficient to show L(init) L(G) = L(acc) L(G). Here is trivial and for let w L(init) L(G). Observe that G is a stable set for w. Let ϕ init be the formula label of init. Because w L(init), w = ϕ init. Thus we can apply Lemma 7 and obtain w L(acc). Remark 2. The limit-deterministic automata of [6] (making its first part deterministic, which is informally mentioned as an option in the paper) and the one of [14] (which is essentially the same) satisfy condition (1). Moreover, they satisfy condition (2), not necessarily upon reaching the BSCC of M σ, but at the latest upon reaching the BSCC of its product with the initial part of the automaton, see [14]. So they can also be used for quantitative probabilistic model checking using the standard algorithm, as implicitly suggested by the more complex on-the-fly variant of the algorithm of [14]. 9 Experimental Evaluation In our experimental evaluation we measure the state size and the number of acceptance sets. We compare our translation to state-of-the-art LTL-to-Büchi and LTL-to-deterministic-Rabin translators. For the first group we use the semi-determinisation of [6] to obtain limitdeterministic systems where the first component only uses the non-determinism for jumping into the second component, starting a breakpoint construction. This approach enables quantitative model checking (see Remark 2). The algorithm is only applied when the automaton is non-deterministic and this translation is necessary. Apart from selecting state-based Büchi automata as output, the tools are left in their default configuration. We compared the following tools 2 where each tool is given at most 4GB of memory and 5 minutes computing time: 2 ltl2ba was left out and the improved successor ltl3ba was used. 17

18 L3 (ltl3ba, 1.1.2) - An enhanced fork of ltl2ba with formula rewriting. [1] S (ltl2tgba, ) - The LTL translator from Spot. Features advanced formula simplification and several post-processing optimisations. [9] L2D (ltl2dstar, 0.5.3) - Translates LTL to deterministic Streett and Rabin automata. Configured to use Spot as a translator from LTL to NBA. [17] R (Rabinizer, 3.1) - Constructs deterministic generalized Rabin automata avoiding Safra s construction. Configured to produce Rabin automata. [19] LD (ltl2ldba) - Implementation of the proposed construction without any postprocessing. Available at: www7.in.tum.de/~sickert/projects/ltl2ldba Büchi Acceptance Rabin Acceptance L3 S LD L2D R j = 1 10 (1) 11 (1) 3 (1) 5 (4) 2 (4) j = 2 21 (1) 21 (1) 4 (2) 17 (6) 3 (6) j = 3 44 (1) 44 (1) 5 (3) 49 (8) 4 (8) j = 4 95 (1) 95 (1) 6 (4) 129 (10) 5 (10) k = 2 40 (1) 62 (1) 5 (2) 4385 (14) 13 (8) k = (1) 571 (1) 9 (3) * 198 (16) ϕ 1 37 (1) 12 (1) 9 (3) 6 (4) 7 (6) ϕ 2 39 (1) 33 (1) 7 (3) 27 (4) 6 (6) ϕ 3 35 (1) 14 (1) 19 (3) 7 (6) 13 (6) f(0, 0) 5 (1) 5 (1) 5 (1) 5 (2) 5 (4) f(0, 2) 16 (1) 16 (1) 10 (1) 10 (4) 7 (4) f(0, 4) 18 (1) 18 (1) 16 (1) 12 (4) 9 (4) f(1, 0) 51 (1) 64 (1) 6 (3) 196 (10) 17 (6) f(1, 2) 138 (1) 345 (1) 28 (3) (22) 33 (6) f(1, 4) 943 (1) 2450 (1) 58 (3) * 70 (6) f(2, 0) 289 (1) 215 (1) 10 (4) (22) 41 (8) f(2, 2) 915 (1) 1061 (1) 46 (4) * 94 (8) f(2, 4) (1) (1) 92 (4) * 139 (8) Σ [5] (353)*** (356) 9518 (889)** (1670)* (2554)** Table 1. Number of states and number of acceptance sets in parenthesis for the constructed automata. The smallest and second smallest state spaces are highlighted. Each resource exhaustion is marked with an additional *. Abbreviated formulas: ϕ 1 = GF(Fa Gb FG(a (Xb)), ϕ 2 = FG(Ga F b GF(a Xb)), ϕ 3 = GF(Fa GXb FG(a XXb)) We consider the following five groups of formulas: 1. The first group of formulas in Table 1 are from the GR(1) fragment of LTL and parametrised by j: j i=1 (GFa i) = j i=1 (GFb i). These have been previously used in [20]. 18

19 2. The second group of formulas are fairness constraints, taken from [11], and are parametrised by k: k i=1 (GFa i FGb i ) 3. The third section looks at formulas with light nesting of modal operators. 4. In the fourth section we explore the effect of deeply nesting modal operators using the parametrised formula f. f(0, j) = (GFa 0 )U(X j b) f(i + 1, j) = (GFa i+1 )U(Gf(i, j)) While the automata sizes are close to each other for i, j = 0, this immediately changes after increasing the parameters controlling the nesting depth. 5. The last entry is cumulative and sums up results for 359 formulas. These formulas are from the collection used in [5]. The authors collected these from existing sources, such as [23, 10, 12, 13], and additionally included randomly generated formulas. 10 Conclusion We present a direct translation from LTL formulas to limit-deterministic Büchi automata. The approach relies on decomposing the formula, constructing small automata for each G and building a product deciding acceptance. The complexity analysis shows that translating LTL to limit-deterministic automata is in the worst case double exponential, which is matched by existing constructions and the novel approach. The experimental section shows that for deeply nested formulas the presented approach outperforms existing tools and in the general case is as good as the other tools. There are several open questions we want to investigate. First, we have not included the Release-operator in the syntax. While this does not have an impact on the expressiveness of the logic, direct support for it would be favourable. Second, it is open, if is possible to adapt the construction such that for the LTL \GU fragment the size is also exponential as in [16]. Third, we would like to investigate the impact of specialised and standard post-processing steps on the size of the automaton. Fourth, we want to study the performance impact of using this construction for quantitative model checking. Finally, in the area of reactive synthesis DRAs can be replaced by good for games Parity automata [15, 18]. Studying the connection to our translation, and a possibility of adapting our work for reactive synthesis is open. Acknowledgments. The authors want to thank Orna Kupferman for suggesting the language for proving the lower complexity bound. References 1. Babiak, T., Křetínský, M., Rehák, V., Strejcek, J.: LTL to Büchi automata translation: Fast and more deterministic. In: TACAS. LNCS, vol. 7214, pp (2012) 19

20 2. Baier, C., Kiefer, S., Klein, J., Klüppelholz, S., Müller, D., Worrel, J.: Markov chains and unambiguous Büchi automata. In: To appear in CAV 2016, preprint available at (2016) 3. Baier, C., Katoen, J.: Principles of model checking. MIT Press (2008) 4. Blahoudek, F., Heizmann, M., Schewe, S., Strejcek, J., Tsai, M.: Complementing semi-deterministic Büchi automata. In: TACAS. LNCS, vol. 9636, pp (2016) 5. Blahoudek, F., Křetínský, M., Strejček, J.: Comparison of LTL to deterministic Rabin automata translators. In: LPAR. LNCS, vol. 8312, pp (2013) 6. Courcoubetis, C., Yannakakis, M.: The complexity of probabilistic verification. J. ACM 42(4), (1995) 7. Couvreur, J., Saheb, N., Sutre, G.: An optimal automata approach to LTL model checking of probabilistic systems. In: LPAR. LNCS, vol. 2850, pp (2003) 8. Duret-Lutz, A.: Manipulating LTL formulas using Spot 1.0. In: ATVA. LNCS, vol. 8172, pp (2013) 9. Duret-Lutz, A.: LTL translation improvements in Spot 1.0. International Journal on Critical Computer-Based Systems 5(1/2), (Mar 2014) 10. Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-state verification. In: ICSE. pp (1999) 11. Esparza, J., Křetínský, J.: From LTL to deterministic automata: A safraless compositional approach. In: CAV. LNCS, vol. 8559, pp (2014) 12. Gastin, P., Oddoux, D.: Fast LTL to Büchi automata translation. In: CAV. LNCS, vol. 2102, pp (2001) 13. Geldenhuys, J., Hansen, H.: Larger automata and less work for LTL model checking. In: SPIN. LNCS, vol. 3925, pp (2006) 14. Hahn, E.M., Li, G., Schewe, S., Turrini, A., Zhang, L.: Lazy probabilistic model checking without determinisation. In: CONCUR. LIPIcs, vol. 42, pp (2015) 15. Henzinger, T.A., Piterman, N.: Solving games without determinization. In: CSL. LNCS, vol. 4207, pp Springer (2006) 16. Kini, D., Viswanathan, M.: Limit deterministic and probabilistic automata for LTL \ GU. In: TACAS. LNCS, vol. 9035, pp (2015) 17. Klein, J., Baier, C.: Experiments with deterministic ω-automata for formulas of linear temporal logic. Theor. Comput. Sci. 363(2), (2006) 18. Klein, J., Müller, D., Baier, C., Klüppelholz, S.: Are good-for-games automata good for probabilistic model checking? In: LATA. LNCS, vol. 8370, pp (2014) 19. Komárková, Z., Křetínský, J.: Rabinizer 3: Safraless translation of LTL to small deterministic automata. In: ATVA. LNCS, vol. 8837, pp (2014) 20. Křetínský, J., Esparza, J.: Deterministic automata for the (F,G)-fragment of LTL. In: CAV. LNCS, vol. 7358, pp (2012) 21. Kupferman, O., Vardi, M.Y.: From linear time to branching time. ACM Trans. Comput. Log. 6(2), (2005) 22. Kwiatkowska, M.Z., Norman, G., Parker, D.: PRISM 4.0: Verification of probabilistic real-time systems. In: CAV. LNCS, vol. 6806, pp (2011) 23. Pelánek, R.: BEEM: benchmarks for explicit model checkers. In: SPIN. LNCS, vol. 4595, pp (2007) 24. Piterman, N.: From nondeterministic Büchi and Streett automata to deterministic parity automata. Logical Methods in Computer Science 3(3) (2007) 25. Safra, S.: On the complexity of omega-automata. In: FOCS. pp (1988) 26. Schewe, S.: Tighter bounds for the determinisation of Büchi automata. In: FoSSaCS. LNCS, vol. 5504, pp (2009) 27. Vardi, M.Y.: Automatic verification of probabilistic concurrent finite-state programs. In: FOCS. pp (1985) 20